Martin was once rumoured to have said:
> > ... and here I was expecting you to say "but how do you compile a C
> > program in a chrooted environment", and I was going to say "well okay,
> > you do have a point, so the end result would be the same chicken/egg
> > problem with one needing a binary to get out of the chroot", which
> > either Terry, Crossfire or Angus would rebuke further... etc, etc.
>
> well, what is stopping that same program compiled on a similar box being
> downloaded and run from within the chroot environment...
>
> so, you then remove all means of transferring files from within the
> chroot environment...
>
> where do you stop??? ...my head hurts!
>
> > I'd imagine that a chrooted bind that isn't running as root would be
> > safer.
> ^^^^^
>
> emphasis on the "safer" which != "safe"...
>
> on the subject of bind, has anyone researched the alternatives to bind?
> anyone used djbdns?
djbdns is not really suitable for use on public DNS servers. That,
and it doesn't cache [it relies upon dnscache to do that], which makes
it moderately useless. It also doesn't support AXFR, which means
you'll be manually updating your secondaries. It is on my "not
recommended list".

Yes, I do have a grudge against djb - I wouldn't have it if he didn't
release crap and hide it behind his security guarantee.

bind is good. Bind will work chrooted. Bind will work surrendering
privileges. You can't escape a chroot once you've surrendered root
privs (unless your chrooted environment foolishly includes setuid
binaries). OpenBSD knows this, and ships their bind configuration to
chroot jail and surrender root by default. However, bind sucks for
dynamic tables. Do not use bind for dynip stuff. (I use bind myself,
mostly because I've been using Bind4 and Bind8 for years - that, and
my `dynip' table has a very low rate of change, and I use magic,
rather than the dynamic DNS update mechanisms to set it)
There is also Dents which is a viable replacement for Bind. Dents
also supports drop-in namespace modules. Dents works with
Supersparrow. I haven't used dents, so I can't vouch for its feature
set, however Dents sounds like the right thing by implementing the
featureset, and making it behave in a sane manner.
Yes, these are *MY* opinions.
C.
--
--==============================================--
Crossfire | This email was brought to you
[EMAIL PROTECTED] | on 100% Recycled Electrons
--==============================================--
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
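The post's two points (chroot then surrender root, and "unless your chrooted environment foolishly includes setuid binaries") are shown below as an added C example; this is not code from the thread, from bind or from OpenBSD. It assumes a POSIX system with chroot(2), setgroups(2) and mkdtemp(3), and a jail path, uid and gid supplied by the caller. enter_jail_and_drop_root() performs the irreversible sequence in the order that matters (chroot, then chdir("/") so the working directory is inside the jail, then groups, gid and uid last) and verifies that root cannot be regained; count_setuid_files() is the audit a practitioner would run over the jail tree before starting the daemon. make_sample_jail() is a hypothetical helper that builds a constructed jail with one setuid file so the audit can be exercised without root.

```c
/* Added example, not part of the SLUG thread or any project's code.
 * Demonstrates: (1) the chroot + drop-root order for a daemon like bind,
 * (2) auditing a jail tree for setuid/setgid files, the one thing the
 * post names that lets a process in the jail get root back. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count regular files under 'root' carrying the setuid or setgid bit.
 * Returns the count, or -1 if 'root' cannot be opened. Uses lstat so a
 * symlink pointing outside the jail is neither followed nor counted. */
int count_setuid_files(const char *root)
{
    DIR *d = opendir(root);
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", root, e->d_name) >= (int)sizeof path) continue;
        struct stat st;
        if (lstat(path, &st) != 0) continue;
        if (S_ISDIR(st.st_mode)) {
            int sub = count_setuid_files(path);   /* recurse into subtrees */
            if (sub > 0) found += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID))) {
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Enter the jail and give up root in an order that cannot be undone:
 * chroot first (still root), chdir("/") so the cwd is inside the jail,
 * then drop supplementary groups, the primary group, and the uid last
 * (dropping uid first would make the setgid call fail). Returns 0 on
 * success, -1 with errno set on failure. Requires root to call chroot(). */
int enter_jail_and_drop_root(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Confirm the drop is real: regaining root must now fail. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Hypothetical helper: build a constructed jail under /tmp containing
 * one setuid file (bin/tool) and one plain file (etc/hosts). Writes the
 * jail path into 'out'. Returns 0 on success, -1 on failure. */
int make_sample_jail(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/jailXXXXXX";
    if (!mkdtemp(tmpl) || strlen(tmpl) + 16 >= outlen) return -1;
    snprintf(out, outlen, "%s", tmpl);
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/bin", tmpl);
    if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/etc", tmpl);
    if (mkdir(p, 0755) != 0) return -1;
    snprintf(p, sizeof p, "%s/etc/hosts", tmpl);
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    close(fd);
    snprintf(p, sizeof p, "%s/bin/tool", tmpl);
    fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0) return -1;
    int rc = fchmod(fd, S_ISUID | 0755);   /* the "foolish" setuid binary */
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/named";   /* assumed path */
    int n = count_setuid_files(jail);
    if (n < 0) { perror(jail); return 1; }
    printf("%s: %d setuid/setgid file(s) in jail%s\n", jail, n,
           n ? " - remove them before dropping root" : "");
    return n ? 2 : 0;
}
```

The audit only matters if it runs before the daemon is started, since after enter_jail_and_drop_root() returns the process can no longer see anything outside the jail or change ownership of what is inside it.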